ap0x Posted December 30, 2006
This is the official RLPack unpackme.
Unpacking is considered correct if the unpacked Unpack.exe can unpack crackme.fsg.exe. You cannot add ap0x unpacking engine .dll files to the unpackme to make it work. You can only use things located inside the challenge archive. Due to the fact that Unpack.exe uses psapi.dll, the challenge will work only on NT systems.
The first one to unpack the official unpackme will get RLPack Full Edition - Personal license!
Contact email: ap0x.rce@gmail.com
Happy cracking
Challange.zip

Killboy Posted December 30, 2006
WTF, I'm getting a trojan warning by that stupid Avast :/
Bye bye, license x(
Well that's destiny I suppose lol

ap0x (Author) Posted December 30, 2006
Again problem with your AV. I scanned it at virusscann.jotti and it was ok. Try deleting crackme.fsg.exe...

pavka Posted December 31, 2006
OEP to find easy!
0040F738 61 popad
0040F739 - E9 C218FFFF jmp UnPACK.004010
Import it is possible restore Original without Imprec!
0040F69E /0F84 85120000 je UnPACK.00410929
0040F6A4 |E8 CE090000 call UnPACK.00410077
0040F6A9 |E8 411E0000 call UnPACK.004114EF<--------
0040F6AE |C785 5E230000 00000000 mov dword ptr ss:[ebp+235E],0
0040F6B8 |8907 mov dword ptr ds:[edi],eax
0040F6BA |83C7 04 add edi,4

Teddy Rogers Posted December 31, 2006
I detect a little bundling going on, nice feature...
Ted.

pavka Posted December 31, 2006
Problem only in that what to pull out these 4 dll from memory 003E0000

ap0x (Author) Posted December 31, 2006
Well pavka, you need to dump and fix all bundled .dll files.
Nice work...

Killboy Posted December 31, 2006
Well, it even stops me from downloading xD
Win32:Banker-BKO [Trj]
lol
I wouldn't be able to unpack it anyway, I guess. So no harm done

cektop Posted December 31, 2006
Well, dude, it doesn't matter. It surely doesn't have anything evil in it.
I took a look at this. Got 3 dlls and I think I can get another one, got IAT, got dump but having probs fixing dialog resource...

pavka Posted December 31, 2006
Thanks ap0x! It was interesting! All is ready
http://rapidshare.com/files/9671267/Challange.rar

ap0x (Author) Posted January 1, 2007
Great work pavka. You forgot one import from shell32.dll but no matter, you are successful.
Please register over at my forum so I can give you the license.

Guest Haggar Posted January 1, 2007
Hi folks, Happy New Year also.
Tip: You don't need to use ImpREC neither for main executable, neither for DLLs. For DLLs: No patching, magic jumps, rebuilding, realigning or something else. Just RAW DUMP AT THE RIGHT TIME

pavka Posted January 1, 2007
ap0x
I do not know where a forum ?

cond0lence Posted January 1, 2007
@pavka: http://ap0x.jezgra.net/forum/

Apakekdah Posted January 1, 2007
> Hi folks, Happy New Year also.
> Tip: You don't need to use ImpREC neither for main executable, neither for DLLs. For DLLs: No patching, magic jumps, rebuilding, realigning or something else. Just RAW DUMP AT THE RIGHT TIME
raw dump ? how to do that (RAW DUMP) ?

ap0x (Author) Posted January 2, 2007
deroko wrote a tut, it is attached here
http://forums.accessroot.com/index.php?sho...=4750&st=20

Guest Haggar Posted January 2, 2007
> raw dump ? how to do that (RAW DUMP) ?
Packer will reserve some memory for one DLL with VirtualAlloc. Then it will write DLL there. Writing loop is:
0041088C 8A06 MOV AL,BYTE PTR DS:[ESI]
0041088E 8801 MOV BYTE PTR DS:[ECX],AL
00410890 46 INC ESI ; UnPACK.0040B2D9
00410891 41 INC ECX
00410892 4F DEC EDI
00410893 83FF 00 CMP EDI,0
00410896 ^77 F4 JA SHORT UnPACK.0041088C
After that loop ends, you dump that region of memory with LordPE and just save file as NameOF.DLL. After this loop, packer writes imports to DLL so later dumping would get bad dump.

Apakekdah Posted January 2, 2007
@ap0x
finally my question was answered... thx, bro from remind me, i'm looking for that tuts...
@Haggar
oh i c, thx for the info, i'm trying now...

cektop Posted January 2, 2007
That just means plain dump without fixing anything.
Btw, I have a question, pavka, did you have to fix resources or you got a better dump than me?

pavka Posted January 2, 2007
cektop
I not fix resources ! To do dump it is necessary right after captures of import!

cektop Posted January 2, 2007
lol
That was the problem. I didn't use some Olly plugin to dump but one tool I have that replaced memory it couldn't read with 0 bytes

pavka Posted January 3, 2007
LOL? Forgive, to what it concerns? If to make dump in the necessary place what problems will not be!

cektop Posted January 3, 2007
Sorry, I didn't understand your post. Anyway, I said I should have used an Olly plugin for dumping since outside tools can't access all pages of process memory. I'm out of touch. Haven't been cracking for years...

pavka Posted January 4, 2007
cektop
Here to you an example!
0049C222 68 00400000 push 4000 <------------Dump it
0049C227 68 0D190000 push 190D
0049C22C FFB5 471F0000 push dword ptr ss:[ebp+1F47]
0049C232 FF95 FE030000 call dword ptr ss:[ebp+3FE]
0049C238 E8 06050000 call 1_.0049C743
0049C23D E8 A7000000 call 1_.0049C2E9
0049C242 61 popad
0049C243 - E9 68AFF8FF jmp 1_.004271B0<--------OEP
It is necessary dump it not reaching up to OEP in this place! If you use ImpRec that start it from this point!
And last advice! Do not create new section for import, and rewrite old!
Than to do dump, not important! I did OLLyDump

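Added example (not from any poster in this thread): a short Python scan for the popad / jmp rel32 tail shown in pavka's listing above, computing the jump target from the E9 displacement the way the debugger does. The sample bytes are reassembled from that listing; find_tail_jumps and min_distance are names chosen here for illustration.

```python
import struct

# Constructed sample: the bytes of the eight instructions quoted in the post
# above, placed at the address shown in that listing.
STUB_VA = 0x0049C222
STUB = bytes.fromhex(
    "6800400000"    # push 4000
    "680D190000"    # push 190D
    "FFB5471F0000"  # push dword ptr ss:[ebp+1F47]
    "FF95FE030000"  # call dword ptr ss:[ebp+3FE]
    "E806050000"    # call 0049C743
    "E8A7000000"    # call 0049C2E9
    "61"            # popad
    "E968AFF8FF"    # jmp 004271B0
)


def find_tail_jumps(code, base_va, min_distance=0x1000):
    """Hypothetical helper: list (popad_va, jmp_target) for every
    `popad; jmp rel32` pair whose target is far away from the stub."""
    hits = []
    pos = code.find(b"\x61\xE9")
    while pos != -1:
        if pos + 6 <= len(code):  # need the full 4-byte displacement
            rel = struct.unpack_from("<i", code, pos + 2)[0]  # signed rel32
            # The E9 displacement is relative to the end of the jmp:
            # 1 byte of popad plus 5 bytes of jmp after pos.
            target = (base_va + pos + 6 + rel) & 0xFFFFFFFF
            inside = base_va <= target < base_va + len(code)
            # Short or stub-internal jumps are not a hand-off to the
            # original program, so they are skipped.
            if not inside and abs(rel) >= min_distance:
                hits.append((base_va + pos, target))
        pos = code.find(b"\x61\xE9", pos + 1)
    return hits


if __name__ == "__main__":
    for popad_va, target in find_tail_jumps(STUB, STUB_VA):
        print(f"popad at {popad_va:08X}, tail jump to {target:08X}")
```

A hit is only a candidate: the same two bytes can occur in ordinary code or data, so the target still has to be confirmed in the debugger as lying in the original code section.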